CVE-2019-5138

Name of the Vulnerable Software and Affected Versions Moxa AWK-3131A firmware version 1.13

Description An exploitable command injection vulnerability exists in the encrypted diagnostic script functionality. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed, resulting in remote control over the device. An attacker can send diagnostic scripts while authenticated as a low-privilege user to trigger this issue. The vulnerability is due to the lack of neutralization of special elements used in the operating system command.

Recommendations For Moxa AWK-3131A firmware version 1.13, consider disabling the diagnostic script functionality until a patch is available to prevent exploitation. Restrict access to the device to minimize the risk of remote control. Avoid using the busybox commands in the diagnostic script file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.